User Profiling in GUI based Windows Systems for Intrusion Detection

Intrusion detection is the process of identifying any unauthorized access to a sys- tem. This process inspects user behavior to identify any possible attack or intrusion. There exists two type of intrusion detection systems (IDSs): signature-based IDS and anomaly-based IDS. This project concentrates on anomaly-based intrusion detection technique. This technique is based on the deviation of intruder’s actions from the authenticated user’s actions. Much previous research has focused on the deviation of command line input in UNIX systems. However, these techniques fail to detect attacks on modern GUI- based systems, where typical user activities include mouse movements and keystrokes. Our project aims to create a dataset suitable for testing intrusion detection strate- gies on GUI-based operating systems. We have developed an event logging tool to capture GUI-based user data on Windows systems. We have collected a large dataset which we analyze using a intrusion detection strategy based on hidden Markov models (HMM)

Using Computer Behavior Profiles to Differentiate between Users in a Digital Investigation

Most digital crimes involve finding evidence on the computer and then linking it to a suspect using login information, such as a username and a password. However, login information is often shared or compromised. In such a situation, there needs to be a way to identify the user without relying exclusively on login credentials. This paper introduces the concept that users may show behavioral traits which might provide more information about the user on the computer. This hypothesis was tested by conducting an experiment in which subjects were required to perform common tasks on a computer, over multiple sessions. The choices they made to complete each task was recorded. These were converted to a \u27behavior profile,\u27 corresponding to each login session. Cluster Analysis of all the profiles assigned identifiers to each profile such that 98% of profiles were attributed correctly. Also, similarity scores were generated for each session-pair to test whether the similarity analysis attributed profiles to the same user or to two different users. Using similarity scores, the user sessions were correctly attributed 93.2% of the time. Sessions were incorrectly attributed to the same user 3.1% of the time and incorrectly attributed to different users 3.7% of the time. At a confidence level of 95%, the average correct attributions for the population was calculated to be between 92.98% and 93.42%. This shows that users show uniqueness and consistency in the choices they make as they complete everyday tasks on a system, and this can be useful to differentiate between them. Keywords: computer behavior users, interaction, investigation, forensics, graphical inter-face, windows, digital Keywords: computer behavior users, interaction, investigation, forensics, graphical inter- face, windows, digita

Computer Based Behavioral Biometric Authentication via Multi-Modal Fusion

Biometric computer authentication has an advantage over password and access card authentication in that it is based on something you are, which is not easily copied or stolen. One way of performing biometric computer authentication is to use behavioral tendencies associated with how a user interacts with the computer. However, behavioral biometric authentication accuracy rates are much larger then more traditional authentication methods. This thesis presents a behavioral biometric system that fuses user data from keyboard, mouse, and Graphical User Interface (GUI) interactions. Combining the modalities results in a more accurate authentication decision based on a broader view of the user\u27s computer activity while requiring less user interaction to train the system than previous work. Testing over 30 users, shows that fusion techniques significantly improve behavioral biometric authentication accuracy over single modalities on their own. Two fusion techniques are presented, feature fusion and decision level fusion. Using an ensemble based classification method the decision level fusion technique improves the FAR by 0.86% and FRR by 2.98% over the best individual modality

Data Collection and Analysis for Masquerade Attack Detection: Challenges and Lessons Learned

Real-world large-scale data collection poses an important challenge in the security field. Insider and masquerader attack data collection poses even a greater challenge. Very few organizations acknowledge such breaches because of liability concerns and potential implications on their market value. This caused the scarcity of real-world data sets that could be used to study insider and masquerader attacks. In this paper, we present the design, technical, and procedural challenges encountered during our own masquerade data gathering project. We also share some lessons learned from this several-year project related to the Institutional Review Board process and to user study design

On the Design and Execution of Cyber-Security User Studies: Methodology, Challenges, and Lessons Learned

Real-world data collection poses an important challenge in the security field. Insider and masquerader attack data collection poses even a greater challenge. Very few organizations acknowledge such breaches because of liability concerns and potential implications on their market value. This caused the scarcity of real-world data sets that could be used to study insider and masquerader attacks. Moreover, user studies conducted to collect such data lack rigor in their design and execution. In this paper, we present the methodology followed to conduct a user study and build a data set for evaluating masquerade attack detection techniques. We discuss the design, technical, and procedural challenges encountered during our own masquerade data gathering project, and share some of the lessons learned from this several-year project

On the Design and Execution of Cyber-Security User Studies: Methodology, Challenges, and Lessons Learned

Real-world data collection poses an important challenge in the security field. Insider and masquerader attack data collection poses even a greater challenge. Very few organizations acknowledge such breaches because of liability concerns and potential implications on their market value. This caused the scarcity of real-world data sets that could be used to study insider and masquerader attacks. Moreover, user studies conducted to collect such data lack rigor in their design and execution. In this paper, we present the methodology followed to conduct a user study and build a data set for evaluating masquerade attack detection techniques. We discuss the design, technical, and procedural challenges encountered during our own masquerade data gathering project, and share some of the lessons learned from this several-year project

Modeling User Search-Behavior for Masquerade Detection

Masquerade attacks are a common security problem that is a consequence of identity theft. Prior work has focused on user command modeling to identify abnormal behavior indicative of impersonation. This paper extends prior work by modeling user search behavior to detect deviations indicating a masquerade attack. We hypothesize that each individual user knows their own file system well enough to search in a limited, targeted and unique fashion in order to find information germane to their current task. Masqueraders, on the other hand, will likely not know the file system and layout of another user's desktop, and would likely search more extensively and broadly in a manner that is different than the victim user being impersonated. We extend prior research by devising taxonomies of UNIX commands and Windows applications that are used to abstract sequences of user commands and actions. The experimental results show that modeling search behavior reliably detects all masqueraders with a very low false positive rate of 0.13%, far better than prior published results. The limited set of features used for search behavior modeling also results in large performance gains over the same modeling techniques that use larger sets of features

Masquerade Attack Detection Using a Search-Behavior Modeling Approach

Masquerade attacks are unfortunately a familiar security problem that is a consequence of identity theft. Detecting masqueraders is very hard. Prior work has focused on user command modeling to identify abnormal behavior indicative of impersonation. This paper extends prior work by presenting one-class Hellinger distance-based and one-class SVM modeling techniques that use a set of novel features to reveal user intent. The specific objective is to model user search profiles and detect deviations indicating a masquerade attack. We hypothesize that each individual user knows their own file system well enough to search in a limited, targeted and unique fashion in order to find information germane to their current task. Masqueraders, on the other hand, will likely not know the file system and layout of another user's desktop, and would likely search more extensively and broadly in a manner that is different than the victim user being impersonated. We extend prior research that uses UNIX command sequences issued by users as the audit source by relying upon an abstraction of commands. We devise taxonomies of UNIX commands and Windows applications that are used to abstract sequences of user commands and actions. We also gathered our own normal and masquerader data sets captured in a Windows environment for evaluation. The datasets are publicly available for other researchers who wish to study masquerade attack rather than author identification as in much of the prior reported work. The experimental results show that modeling search behavior reliably detects all masqueraders with a very low false positive rate of 0.1%, far better than prior published results. The limited set of features used for search behavior modeling also results in huge performance gains over the same modeling techniques that use larger sets of features

Modeling User Search Behavior for Masquerade Detection

Masquerade attacks are a common security problem that is a consequence of identity theft. This paper extends prior work by modeling user search behavior to detect deviations indicating a masquerade attack. We hypothesize that each individual user knows their own file system well enough to search in a limited, targeted and unique fashion in order to find information germane to their current task. Masqueraders, on the other hand, will likely not know the file system and layout of another user's desktop, and would likely search more extensively and broadly in a manner that is different than the victim user being impersonated. We identify actions linked to search and information access activities, and use them to build user models. The experimental results show that modeling search behavior reliably detects all masqueraders with a very low false positive rate of 1.1%, far better than prior published results. The limited set of features used for search behavior modeling also results in large performance gains over the same modeling techniques that use larger sets of features

The Wolf of SUTD (TWOS): A dataset of malicious insider threat behavior based on a gamified competition

In this paper we present open research questions and options for data analysis of our previously designed dataset called TWOS: The Wolf of SUTD. In specified research questions, we illustrate the potential use of the TWOS dataset in multiple areas of cyber security, which does not limit only to malicious insider threat detection but are also related to authorship verification and identification, continuous authentication, and sentiment analysis. For the purpose of investigating the research questions, we present several state-of-the-art features applicable to collected data sources, and thus we provide researchers with a guidance how to start with data analysis. The TWOS dataset was collected during a gamified competition that was devised in order to obtain realistic instances of malicious insider threat. The competition simulated user interactions in/among competing companies, where two types of behaviors (normal and malicious) were incentivized. For the case of malicious behavior,we designed two types of malicious periods that was intended to capture the behavior of two types of insiders – masqueraders and traitors. The game involved the participation of 6 teams consisting of 4 students who competed with each other for a period of 5 days. Their activities were monitored by several data collection agents and producing data for mouse, keyboard, process and file-system monitor, network traffic, emails, and login/logout data sources. In total, we obtained 320 hours of active participation that included 18 hours of masquerader data and at least two instances of traitor data. In addition to expected malicious behaviors, students explored various defensive and offensive strategies such as denial of service attacks and obfuscation techniques, in an effort to get ahead in the competition. The TWOS dataset was made publicly accessible for further research purposes. In this paper we present the TWOS dataset that contains realistic instances of insider threats based on a gamified competition. The competition simulated user interactions in/among competing companies, where two types of behaviors (normal and malicious) were incentivized. For the case of malicious behavior, we designed sessions for two types of insider threats (masqueraders and traitors). The game involved the participation of 6 teams consisting of 4 students who competed with each other for a period of 5 days, while their activities were monitored considering several heterogeneous sources (mouse, keyboard, process and file-system monitor, network traffic, emails and login/logout). In total, we obtained 320 hours of active participation that included 18 hours of masquerader data and at least two instances of traitor data. In addition to expected malicious behaviors, students explored various defensive and offensive strategies such as denial of service attacks and obfuscation techniques, in an effort to get ahead in the competition. Furthermore, we illustrate the potential use of the TWOS dataset in multiple areas of cyber security, which does not limit to malicious insider threat detection, but also areas such as authorship verification and identification, continuous authentication, and sentiment analysis. We also present several state-of-the-art features that can be extracted from different data sources in order to guide researchers in the analysis of the dataset. The TWOS dataset is publicly accessible for further research purposes. © 2018, Innovative Information Science and Technology Research Group. All rights reserved